The past year has not been easy for security in the software industry.
First was the SolarWinds breach caused by exploits in software tools downloaded from a third-party vendor. Then there was the more recent vulnerability in the open-source Apache Log4j logging framework, which the tech world has been working to patch since mid-November.
The software community is increasingly faced with security questions, and startups are struggling to provide answers. One of them is Tidelift Inc., a startup founded in 2017 with a mission to help organizations manage the open source software that powers many modern enterprise applications today.
“Our mission is to make open source software work better for everyone,” said Donald Fischer (pictured), co-founder and CEO of Tidelift. “We’re making it work better for all organizations and governments, for everyone who depends on open source software to build the apps we all rely on, and to make open source work better for creators. from open source. We want to do our part to help both sides of this equation.”
Fischer spoke with David Nicholson, host of theCUBE, SiliconANGLE Media’s live streaming studio, ahead of the AWS Startup Showcase: Open Cloud Innovations event. They discussed the prevalence of open source in enterprise applications, Tidelift’s software-as-a-service-based security solution, and the startup’s work with Amazon Web Services Inc. (*Disclosure below.)
Business application management
Vulnerabilities such as the Log4j example have brought closer scrutiny of the need for more extensive security controls in open source software. Open source has become widely used by enterprise information technology leaders, and simply removing key software tools that drive core applications is not an option.
“Don’t panic, boss, but only 70-80% of our company’s software is third-party open source software,” Fischer said. “In the modern age, that means relying on open source packages and technologies across a range of languages and ecosystems. We use it all here, boss, and we don’t have a business unless we do.”
Recognizing this reality, Tidelift built its business around a SaaS solution to manage thousands of open source components in an organization. Tidelift seeks to do this by building relationships with the maintainer community while recognizing that many open source contributors are motivated to create new tools for reasons unrelated to their current full-time jobs.
“There’s a pride in their work and the impact they have,” Fischer explained. “The challenge with this model is that when it’s just some kind of impact and pride, good feeling-driven effort, maybe all the standards that organizations could want software to respect are not respected. You may not have access to some of the more annoying aspects of commercial software, such as security engineering and some of the documentation and release engineering. That’s the gap we’re really trying to fill at Tidelift.”
Meet specific standards
According to Fischer, Tidelift gives open source maintainers an opportunity to earn money for meeting a baseline standard under which their packages are released without known defects. The work includes using resources such as the National Vulnerability Database, a government repository of standards-based vulnerability management data.
“We’re asking them to help us ensure that the software organizations depend on meets certain concrete enterprise standards,” Fischer said. “We work with open source maintainers to ensure that we have determined which versions of software packages are affected by known security vulnerabilities.”
The goal is to create a set of open source software options that app developers can build into releases with confidence.
“They will incorporate Tidelift into their release process to ensure that 70% or 80% of the software they ship that comes from GitHub, comes from the Python Package Index, or npm, or Maven Central Repository for Java, meets the standards of their company,” Fischer said. “They can work with us and our unique network of hundreds of these open source maintainers to ensure that there is a flow of known good approved packages into their applications. This is an unsolved problem for almost all serious organizations.”
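The two steps the article describes, determining which versions of a package are affected by a known vulnerability and then gating a release on only known-good pinned packages, can be shown with a small release-gate check. The following is an added example written for this page; it is not Tidelift's code and does not use Tidelift's or the NVD's data formats. The advisory records, package names, advisory IDs (`ADV-EXAMPLE-…`) and the requirements-style manifest are all constructed for the example. Advisories are modelled as half-open version ranges, `[introduced, fixed)`, which is how most vulnerability databases express affected versions, and a package with no fix released yet is flagged for every version at or above the introducing one.

```python
"""Gate a pinned dependency manifest against known-vulnerable version ranges.

Added example for this article; all advisories, package names and the
manifest below are constructed, not real data.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Advisory:
    """One known-vulnerable range for a package: [introduced, fixed)."""
    advisory_id: str
    package: str
    introduced: str           # first affected version, inclusive
    fixed: Optional[str]      # first fixed version, exclusive; None = no fix yet


@dataclass(frozen=True)
class Finding:
    package: str
    version: str
    advisory_id: str
    fixed: Optional[str]


def parse_version(text: str) -> tuple:
    """Turn a dotted numeric version such as '2.14.1' into a comparable tuple.
    A non-numeric tail ('1.2.3rc1') is dropped, so a pre-release is treated
    as its base version (a conservative choice for a gate)."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def version_lt(a: str, b: str) -> bool:
    """True if version a sorts strictly before b; '2.15' and '2.15.0' are equal."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    return ta + (0,) * (width - len(ta)) < tb + (0,) * (width - len(tb))


def is_affected(version: str, adv: Advisory) -> bool:
    """Membership test for the half-open range [introduced, fixed)."""
    if version_lt(version, adv.introduced):
        return False
    if adv.fixed is None:          # no fixed release exists: everything above is affected
        return True
    return version_lt(version, adv.fixed)


def normalize_name(name: str) -> str:
    """PEP 503 style normalisation so 'Foo_Bar', 'foo.bar' and 'foo-bar' match."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_manifest(text: str) -> dict:
    """Parse 'name==version' lines; anything unpinned is rejected outright,
    because a gate cannot vouch for a version it cannot see."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"([A-Za-z0-9][A-Za-z0-9._-]*)==([0-9][0-9A-Za-z.]*)", line)
        if not m:
            raise ValueError(f"unpinned or unsupported requirement: {line!r}")
        pins[normalize_name(m.group(1))] = m.group(2)
    return pins


def check_manifest(text: str, advisories: List[Advisory]) -> List[Finding]:
    """Return every (package, advisory) pair where the pinned version is affected."""
    pins = parse_manifest(text)
    findings = []
    for adv in advisories:
        pkg = normalize_name(adv.package)
        if pkg in pins and is_affected(pins[pkg], adv):
            findings.append(Finding(pkg, pins[pkg], adv.advisory_id, adv.fixed))
    return sorted(findings, key=lambda f: (f.package, f.advisory_id))


def release_gate(text: str, advisories: List[Advisory]) -> bool:
    """True when the manifest contains no package in a known-vulnerable range."""
    return not check_manifest(text, advisories)


# Constructed advisory feed: two overlapping ranges for one package (a first
# fix followed by a follow-up fix) and one package with no fix released yet.
ADVISORIES = [
    Advisory("ADV-EXAMPLE-0001", "example-logger", "2.0.0", "2.15.0"),
    Advisory("ADV-EXAMPLE-0002", "example-logger", "2.0.0", "2.16.0"),
    Advisory("ADV-EXAMPLE-0003", "Example_Templates", "1.0", None),
]

# Constructed requirements-style manifest for the example.
SAMPLE_MANIFEST = """
# pinned third-party packages (constructed sample)
example-logger==2.14.1      # inside both vulnerable ranges
example.templates==1.3      # normalises to example-templates; no fix exists
yaml-helper==6.0            # no advisories: approved
"""

if __name__ == "__main__":
    for f in check_manifest(SAMPLE_MANIFEST, ADVISORIES):
        fix = f"upgrade to >= {f.fixed}" if f.fixed else "no fixed release yet"
        print(f"{f.package}=={f.version}: {f.advisory_id} ({fix})")
    print("release gate:", "PASS" if release_gate(SAMPLE_MANIFEST, ADVISORIES) else "BLOCK")
```

The gate is deliberately strict in two places a practitioner would want: an unpinned requirement is an error rather than a silent pass, and a pre-release is compared as its base version so `2.15.0rc1` is still treated as vulnerable until `2.15.0` itself is out. Overlapping advisories for one package are reported separately, which is what makes the "upgrade to" hint correct when the first fix turned out to be incomplete.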
In November, Tidelift joined the AWS Independent Software Vendor Accelerate program to co-sell its services with the cloud provider. Tidelift will work with AWS field vendors to help improve the health and safety of the open source software supply chain.
“It’s really important, whether it’s an edge device or a cloud data center, that applications meet standards, especially when it comes to security,” Fischer said. “AWS recognizes this need and opportunity for its customers, and we are working with them. Accelerate gives us the ability to collaborate with AWS and work together to solve common customer challenges.”
The Tidelift model is based on a belief in two absolutes. The first is that companies will continue to use open source software as a key resource for developing critical applications to run the business. The other is that the community spirit of the open source community will remain firmly in place.
“There is no other way forward than to build with modern building blocks,” Fischer said. “If you think of this network of open source maintainers working together, a rising tide lifts all boats.”
Here’s the full video interview, which is part of SiliconANGLE and theCUBE’s coverage of the AWS Startup Showcase: Open Cloud Innovations event. (*Disclosure: Tidelift sponsored this segment of theCUBE. Neither Tidelift nor other sponsors have editorial control over the content of theCUBE or SiliconANGLE.)